/*
* This is a variant of the Andrew Secure RPC Protocol
* from Clark and Jacob (1997), using message tags rather
* than nonce arithmetic. The protocol is used to exchange
* a session key SK and a session nonce SN. The original protocol is:
*
* A -> B : A, { msg1(Na) }Kab
* B -> A : { msg2(Na, Nb) }Kab
* A -> B : { msg3(Nb) }Kab
* B -> A : { msg4(SK, SN) }Kab
*
* This protocol is flawed, not to mention rather redundant: a
* 3-way handshake is being used for nonce challenges, which are
* then ignored in the final message!
*
* See andrewrpc.cry for a fixed version.
*
* Alan Jeffrey, v0.0.1 2001/02/22
* Christian Haack, modified for v1.1.0 2004/09/09
*/

/*
* We assume that principals are able to securely lookup their shared
* longterm keys. We formally express this by assuming the existence
* of a secure lookup function of the following dependent function type:
*/